feat: Configure Macie on all regions.

jamesiarmes · jamesiarmes · commit af85d33eb83a · 2025-02-28T12:37:17.000-05:00
diff --git a/tofu/config/security-delegate/.terraform.lock.hcl b/tofu/config/security-delegate/.terraform.lock.hcl
diff --git a/tofu/config/security-delegate/main.tf b/tofu/config/security-delegate/main.tf
@@ -25,6 +25,16 @@ module "automations" {
   }
 }
 
+# Configure Macie in each region.
+module "macie" {
+  for_each = toset(["us-east-1", "us-east-2", "us-west-1", "us-west-2"])
+  source   = "../../modules/macie"
+
+  providers = {
+    aws = aws.by_region[each.key]
+  }
+}
+
 output "tfstate_bucket" {
   value = module.backend.bucket
 }
diff --git a/tofu/modules/macie/main.tf b/tofu/modules/macie/main.tf
@@ -0,0 +1,26 @@
+data "aws_region" "current" {}
+
+data "external" "template_id" {
+  program = [
+    "aws", "macie2", "list-sensitivity-inspection-templates", "--query",
+    "sensitivityInspectionTemplates[?name=='automated-sensitive-data-discovery'] | [0] | {id: id}",
+    "--output", "json", "--region", data.aws_region.current.name
+  ]
+}
+
+resource "terraform_data" "template" {
+  depends_on = [data.external.template_id]
+
+  # Trigger replacement when the template file changes.
+  triggers_replace = [
+    filesha256("${path.module}/template.yaml")
+  ]
+
+  provisioner "local-exec" {
+    command = "aws macie2 update-sensitivity-inspection-template --id ${data.external.template_id.result.id} --region ${data.aws_region.current.name} --cli-input-yaml file://${path.module}/template.yaml"
+  }
+}
+
+output "template_id" {
+  value = data.external.template_id.result.id
+}
diff --git a/tofu/modules/macie/template.yaml b/tofu/modules/macie/template.yaml
@@ -0,0 +1,39 @@
+description: Default Template used for Automated Discovery
+excludes:
+  managedDataIdentifierIds: []
+includes:
+  allowListIds: []
+  customDataIdentifierIds: []
+  managedDataIdentifierIds:
+  - ADDRESS
+  - AWS_CREDENTIALS
+  - BANK_ACCOUNT_NUMBER
+  - CREDIT_CARD_EXPIRATION
+  - CREDIT_CARD_MAGNETIC_STRIPE
+  - CREDIT_CARD_NUMBER
+  - CREDIT_CARD_NUMBER_(NO_KEYWORD)
+  - CREDIT_CARD_SECURITY_CODE
+  - DATE_OF_BIRTH
+  - DRIVERS_LICENSE
+  - GCP_API_KEY
+  - HTTP_BASIC_AUTH_HEADER
+  - HTTP_COOKIE
+  - JSON_WEB_TOKEN
+  - LATITUDE_LONGITUDE
+  - MEDICAL_DEVICE_UDI
+  - NAME
+  - OPENSSH_PRIVATE_KEY
+  - PGP_PRIVATE_KEY
+  - PHONE_NUMBER
+  - PKCS
+  - PUTTY_PRIVATE_KEY
+  - USA_HEALTHCARE_PROCEDURE_CODE
+  - USA_HEALTH_INSURANCE_CLAIM_NUMBER
+  - USA_INDIVIDUAL_TAX_IDENTIFICATION_NUMBER
+  - USA_MEDICARE_BENEFICIARY_IDENTIFIER
+  - USA_NATIONAL_DRUG_CODE
+  - USA_NATIONAL_PROVIDER_IDENTIFIER
+  - USA_PASSPORT_NUMBER
+  - USA_SOCIAL_SECURITY_NUMBER
+  - US_DRUG_ENFORCEMENT_AGENCY_NUMBER
+  - VEHICLE_IDENTIFICATION_NUMBER
diff --git a/tofu/modules/macie/versions.tf b/tofu/modules/macie/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 1.9"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.88"
+    }
+
+    external = {
+      source = "hashicorp/external"
+      version = "~> 2.3"
+    }
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,16 @@ module "automations" {`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
	`28`	`+# Configure Macie in each region.`
	`29`	`+module "macie" {`
	`30`	`+ for_each = toset(["us-east-1", "us-east-2", "us-west-1", "us-west-2"])`
	`31`	`+ source = "../../modules/macie"`
	`32`	`+`
	`33`	`+ providers = {`
	`34`	`+ aws = aws.by_region[each.key]`
	`35`	`+ }`
	`36`	`+}`
	`37`	`+`
`28`	`38`	`output "tfstate_bucket" {`
`29`	`39`	`value = module.backend.bucket`
`30`	`40`	`}`